security key-manager key query

Displays the key IDs stored in a key management server.

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command displays the IDs of the keys that are stored in the configured key managers. This command does not update the key tables on the node.

Parameters

{ [-fields <fieldname>, ...]
If you specify the -fields <fieldname>, ... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ]}
If you specify the -instance parameter, the command displays detailed information about all fields.
[-node {<nodename>|local}] - Node
Use this parameter to specify the name of the node that queries the specified key management servers. If this parameter is not specified, then all nodes query the specified key management servers.
[-vserver <vserver name>] - Vserver Name
Use this parameter to specify the Vserver for which to list the keys.
[-key-server <Hostname and Port>] - Key Server
This parameter specifies the host and port of the key management server that you want to query. This parameter is used only with external key managers.
[-key-id <Hex String>] - Key Identifier
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-key-tag <text>] - Key Tag
If you specify this parameter, then the command displays only the key IDs that match the specified value. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume.
[-key-type <Key Usage Type>] - Key Type
If you specify this parameter, then the command displays only the key IDs that match the specified value.
[-restored {true|false}] - Restored
This parameter specifies whether the key corresponding to the displayed key ID is present in the specified node's internal key table. If you specify 'yes' for this parameter, then the command displays the key IDs of only those keys that are present in the system's internal key table. If you specify 'no' for this parameter, then the command displays the key IDs of only those keys that are not present in the system's internal key table.
[-key-store <Key Store>] - Key Store
Use this parameter to specify the key manager type from which to list the keys.
[-key-user <vserver name>] - Key User
If you specify this parameter, then the command displays only the key IDs that are used by the specified Vserver.

Examples

The following example shows all of the keys on all configured key servers, and whether or not those keys have been restored for all nodes in the cluster:

cluster-1::> security key-manager key query

       Vserver: cluster-1
   Key Manager: onboard
          Node: node1
    Key Server: ""

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000
node1                                 NSE-AK    yes
    Key ID: 00000000000000000200000000000100e1f6b27094485d2d74408bca673b25eb0000000000000000
node1                                 NSE-AK    yes
    Key ID: 00000000000000000200000000000100ea73be83ec42a7a2bd262f369cda83a40000000000000000

       Vserver: datavs
   Key Manager: external
          Node: node1
    Key Server: keyserver.datavs.com:5965


Key Tag                               Key Type  Restored
------------------------------------  --------  --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK       yes
    Key ID: 0000000000000000020000000000004001cb18336f7c8223743d3e75c6a7726e0000000000000000
9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK       yes
    Key ID: 0000000000000000020000000000004064f2e1533356a470385274a9c3ffb9770000000000000000
40c3546e-600c-401c-b312-f01be52258dd  VEK       yes
    Key ID: 000000000000000002000000000000401e6f2b09744582d74d084cb6a372be5b0000000000000000
9b195ecb-35ee-4d11-8f61-15a8de377ad7  VEK       yes
    Key ID: 00000000000000000200000000000040ea73be83ec42a7a2bd262f369cda83a40000000000000000

       Vserver: cluster-1
   Key Manager: onboard
          Node: node2
    Key Server: -


Key Tag                               Key Type  Restored
------------------------------------  --------  --------
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001000c11b3863f78c2273343d7ec5a67762e0000000000000000
node1                                 NSE-AK    yes
    Key ID: 000000000000000002000000000001006f4e2513353a674305872a4c9f3bf7970000000000000000
node1                                 NSE-AK    yes
    Key ID: 00000000000000000200000000000100e1f6b27094485d2d74408bca673b25eb0000000000000000
node1                                 NSE-AK    yes
    Key ID: 00000000000000000200000000000100ea73be83ec42a7a2bd262f369cda83a40000000000000000

       Vserver: datavs
   Key Manager: external
          Node: node2
    Key Server: keyserver.datavs.com:5965

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK       yes
    Key ID: 0000000000000000020000000000004001cb18336f7c8223743d3e75c6a7726e0000000000000000
9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK       yes
    Key ID: 0000000000000000020000000000004064f2e1533356a470385274a9c3ffb9770000000000000000
40c3546e-600c-401c-b312-f01be52258dd  VEK       yes
    Key ID: 000000000000000002000000000000401e6f2b09744582d74d084cb6a372be5b0000000000000000
9b195ecb-35ee-4d11-8f61-15a8de377ad7  VEK       yes
    Key ID: 00000000000000000200000000000040ea73be83ec42a7a2bd262f369cda83a40000000000000000
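
Added example (not part of the original reference page): a Python parser for the output layout shown above that reports keys whose Restored column is "no", that is, keys absent from a node's internal key table. The sample input is constructed: the Vserver, key server and key tags reuse the example above, the key IDs are shortened made-up values, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the output above; key IDs are shortened, made-up values.
SAMPLE = """\
       Vserver: datavs
   Key Manager: external
          Node: node1
    Key Server: keyserver.datavs.com:5965

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK       yes
    Key ID: 00000000aa01
9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK       yes
    Key ID: 00000000aa02

       Vserver: datavs
   Key Manager: external
          Node: node2
    Key Server: keyserver.datavs.com:5965

Key Tag                               Key Type  Restored
------------------------------------  --------  --------
eb9f8311-e8d8-487e-9663-7642d7788a75  VEK       yes
    Key ID: 00000000aa01
9d09cbbf-0da9-4696-87a1-8e083d8261bb  VEK       no
    Key ID: 00000000aa02
"""

HEADER = re.compile(r"^\s*(Vserver|Key Manager|Node|Key Server):\s*(.*)$")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(yes|no)\s*$")      # Key Tag, Key Type, Restored
KEY_ID = re.compile(r"^\s+Key ID:\s*([0-9a-fA-F]+)\s*$")

def parse_key_query(text):
    """Return one dict per key row, carrying the header fields of its block."""
    records, ctx, row = [], {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            ctx[m.group(1)] = m.group(2).strip()
        elif m := ROW.match(line):
            row = {"tag": m.group(1), "type": m.group(2), "restored": m.group(3) == "yes"}
        elif (m := KEY_ID.match(line)) and row:
            # The Key ID line completes the row that precedes it.
            records.append({**ctx, **row, "key_id": m.group(1).lower()})
            row = None
    return records

def unrestored_keys(records):
    """Return (node, key tag, key ID) for keys missing from a node's internal key table."""
    return sorted((r["Node"], r["tag"], r["key_id"]) for r in records if not r["restored"])
```

Calling `unrestored_keys(parse_key_query(SAMPLE))` returns the single node2 entry whose Restored column is "no"; for VEKs the key tag in each tuple is the UUID of the affected encrypted volume.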